The UK Corporate Governance Code has expanded. It now impacts companies beyond the FTSE Premium Listing, including those listed in the commercial companies’ categories and closed-ended investment funds. This means that applicable companies have new challenges and requirements to consider for financial years beginning on or after January 1, 2025. The most significant of these challenges comes via Provision 29, which takes effect in 2026.
Provision 29 involves companies monitoring, reviewing, and reporting on the effectiveness of their material financial and non-financial risk management and internal controls framework. While companies are generally comfortable with financial controls due to established frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as leveraged by SOX and others, the requirement to apply similar rigor to non-financial controls is proving particularly tricky for many businesses. That’s because these areas are more company-specific and sector-dependent, without clear precedents to follow. Moreover, while Provision 29 offers companies a set of rules, the guidance provided by the Financial Reporting Council (FRC) is not prescriptive. Rather, it leaves companies to interpret and customize exactly how their compliance approaches are developed, creating uncertainty and a lack of clarity for many organizations.
Turnkey recently hosted a roundtable to discuss the UK Corporate Governance Code with our internal controls community, with a focus on Provision 29. The roundtable illuminated the challenges many businesses are having. In particular, while they understand the principles of the code, they’re struggling with practical implementation and compliance.
In this blog, we explore the key challenges businesses like yours are facing with Provision 29, how to implement an efficient and effective approach based around stakeholder alignment and proportionate control frameworks, and how compliance can be used as a business opportunity.
What’s causing UK Corporate Governance Code uncertainty?
Our conversations with participants during the roundtable event revealed the widespread challenges companies are facing with Provision 29. While 75% of participating companies said they have made some progress, 60% said they had gaps in understanding their requirements. Further, only 20% said they felt largely prepared and on track to meet compliance requirements.
The open-endedness within the FRC’s guidance means many businesses aren’t sure exactly what they need to do to meet Provision 29 requirements. Reasons for this include:
- The requirements within the guidelines can seem too open to interpretation.
- Defining, documenting, testing, and reporting on non-financial controls can be complicated, and can vary substantially according to the size, operations, and industry of the business concerned.
- The level of detail and granularity needed for control programs is unclear.
While companies must ensure their control framework is sufficient to prevent material findings that would need to be publicly declared, many are hesitant to commit to an overly detailed, granular controls program. Moreover, they may believe a less detailed approach is perfectly suitable for their business. As our roundtable discussions revealed, balancing these competing priorities—maintaining proportionality while providing adequate assurance—is a key challenge for compliance teams in this first implementation year.
The pitfalls of a one-size-fits-all controls framework
Many organizations have mistakenly applied SOX-level granularity to Provision 29 implementation, creating controls frameworks that are unnecessarily mature and detailed for their context. A one-size-fits-all approach often fails to recognize the company-specific nature of controls emphasized by the FRC. This is particularly problematic for smaller companies in less-regulated industries.
Issues also arise when companies treat their Control Framework implementation as a standalone exercise rather than integrating it with broader business initiatives. A siloed approach often neglects wider business changes in progress and delays critical stakeholder alignment until late in the implementation process, both of which lead to costly, disruptive, and onerous reworking of the control framework.
The key is to establish an appropriate and aligned controls framework within the context of your business, in which controls help, not hinder, the pursuit of strategic objectives and transformation efforts. Failure to do so poses risks, including:
- Resource inefficiency: Overly detailed frameworks take up valuable time and effort that could be better used on other business priorities.
- Resource-intensive reworking: If material controls and testing approaches aren’t properly defined due to disconnection with wider transformation projects, or changes are made to avoid declaring failures, it can take a lot of time and money to rework them retrospectively.
- Reputational damage: As control failures must be publicly disclosed, any issues can affect public and investor confidence.
- Financial loss: Any controls failures publicly declared can affect share prices and future investment.
Six steps to right-sized Control Frameworks
At Turnkey, we advocate for a pragmatic, right-sized approach to Provision 29, built around six key steps:
- Identifying initial principal risks, to which material risks and controls can be mapped.
- Defining internal risk appetite and what ‘material’ means in this context.
- Piloting by starting with one principal risk area and defining low-level risks and material controls within them.
- Aligning with other internal controls and risk teams, external auditors, the audit committee, and senior leadership.
- Documenting the alignment in writing as an agreed final position.
- Expanding the aligned approach across other identified risks.
The result is a proportional framework that is focused on material controls rather than excessive documentation, is aligned with existing risk management processes, and has the support of key stakeholders who are less likely to want late-stage changes.
For companies that have already begun implementation but are struggling with the approach, we’d recommend revisiting the definition of material controls and stakeholder alignment before proceeding further.
In summary: Transforming compliance obligations into opportunity
A practical, right-sized approach to Provision 29 can deliver transformative benefits, not only in compliance, but far beyond as well. These include, and are by no means limited to:
- Smoother compliance journeys with lower risk of having to declare material control failures.
- More efficient use of time and resources.
- Better alignment between risk management, internal controls, and business objectives.
- Greater stakeholder confidence, elevating compliance and controls functions as business partners.
- Cost savings through increased automation and efficiency (e.g. reducing control testing costs by £300,000 a year).
- Better business decision-making thanks to improved data quality.
- Wider opportunity to integrate compliance with other business transformation activities, such as S/4HANA implementations, mergers and acquisitions.
Partnering with Turnkey can help you explore the steps to efficiently and effectively comply with Provision 29. We can support you with a Controls Maturity Assessment, strategy planning, advisory expertise, and the implementation of all the technology you need, including automated controls, access management systems and cyber security.
Contact our controls specialists today to discuss how we can support your Provision 29 compliance journey.